Chapter 12 Administering External User Databases
Unknown User Processing
12-4
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
to use the password type and database that succeeded on this authentication
attempt. Users added by unknown user processing are flagged as such within
the CiscoSecure user database and are called discovered users.
The next time the discovered user tries to authenticate, Cisco Secure ACS
authenticates the user against the database that was successful the first time.
Discovered users are treated the same as known users.
3. If the unknown user fails authentication with all configured external
databases, the user is not added to the CiscoSecure user database, and the
authentication request is rejected.
Because usernames in the CiscoSecure user database must be unique,
Cisco Secure ACS supports a single instance of any given username across all the
databases it is configured to use. For example, assume every external user
database contains a user account with the username John. Each account is for a
different user, but they each, coincidentally, have the same username. After the
first John attempts to access the network and has authenticated through the
unknown user process, Cisco Secure ACS retains a discovered user account for
that John and only that John. Now, Cisco Secure ACS tries to authenticate
subsequent attempts by any user named John using the same external user
database that originally authenticated John. Assuming their passwords are
different from the password of the John who authenticated first, the other Johns
are unable to access the network.
Note
The scenario given above is handled differently if the user accounts with identical
usernames exist in separate Windows domains. For more information, see
Authentication Request Handling and Rejection Mode with the
Windows NT/2000 User Database, page 12-4.
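The following model of unknown user processing and the three-Johns collision is an added example, not Cisco code or configuration; the external database names, usernames and passwords are constructed, and only the database binding (not the password type) is tracked.

```python
# Model of Cisco Secure ACS unknown user processing as described in the guide.
# Illustrative only: not Cisco code. All database names, users and passwords
# below are constructed sample data.

# Constructed external databases, listed in the configured search order.
EXTERNAL_DBS = [
    ("ldap_corp", {"alice": "alice-pw", "john": "john1-pw"}),
    ("nt_domain", {"john": "john2-pw"}),
    ("radius_token", {"john": "john3-pw"}),
]


def external_auth(db_name, username, password):
    """Check one credential pair against a single named external database."""
    for name, users in EXTERNAL_DBS:
        if name == db_name:
            return users.get(username) == password
    return False


def authenticate(username, password, user_db):
    """Return (accepted, db_name) following the guide's processing steps.

    user_db models the CiscoSecure user database: username -> record of the
    external database that authenticated the user and a 'discovered' flag.
    """
    # Known or previously discovered user: only the recorded database is tried.
    if username in user_db:
        db_name = user_db[username]["db"]
        return external_auth(db_name, username, password), db_name
    # Unknown user: try each configured external database in order.
    for db_name, _ in EXTERNAL_DBS:
        if external_auth(db_name, username, password):
            # First success: retain a discovered user bound to that database.
            user_db[username] = {"db": db_name, "discovered": True}
            return True, db_name
    # Failure against every database: no account is added, request rejected.
    return False, None


def john_scenario():
    """Replay the guide's 'three Johns' example against a fresh user database."""
    user_db = {}
    results = [authenticate("john", "john2-pw", user_db)]   # nt_domain John first
    results.append(authenticate("john", "john1-pw", user_db))  # ldap_corp John
    results.append(authenticate("john", "john3-pw", user_db))  # radius_token John
    return results, user_db
```

Once the first John is discovered, the other two are evaluated only against nt_domain and rejected, which is the shadowing effect the paragraph above warns about.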
Authentication Request Handling and Rejection Mode with the Windows NT/2000 User Database
Because it is a native Windows application, Cisco Secure ACS treats
authentication with a Windows NT/2000 user database as a special case. Windows
can provide added functionality to the remote access authentication process.
Perhaps the most important aspect of this added functionality is support for
multiple occurrences of the same username across the trusted domains against
which Cisco Secure ACS authenticates access requests.